Be paranoid - protecting sources in the digital age

A journalist's right to protect the anonymity of their sources is a principle enshrined in the law of many countries.

As the European Court of Human Rights ruled in one notable case, "protection of journalistic sources is one of the basic conditions for press freedom... Without such protection, sources may be deterred from assisting the press in informing the public on matters of public interest."

For journalists covering stories involving repressive regimes, however, the main concern isn't that our sources could end up in court - it's that they could be exposed or even killed for sharing information the authorities would rather keep secret.

But with so much potentially sensitive information sitting on laptops and smartphones, and being shared through phone calls, emails and text messages, how can a journalist ensure the safety of their sources without acting like an amateur James Bond?

For guidance, I spoke to a senior consultant in the international cybersecurity industry.

"Assume the worst," was his blunt advice.

"If you're in a foreign country and you're using their infrastructure, it's reasonably safe to assume that people will be listening in and that your communications aren't secure.

"Also assume that if your computer is out of your sight at any time, or if anyone takes it off you, someone will have had a look at the hard drive and put software on it to get future information from you without your knowledge.

"Commercial antivirus software will deal with everyday threats and is important to have, but you've got to assume you're dealing with a more sophisticated adversary who'll have ways of getting around it," he said.

In reality, it's almost impossible to be sure that any communication is absolutely secure.

"There's no silver bullet - you can't go out and buy one thing that will give you 100% security," my source admitted.

Even so, here are some simple tips that journalists can employ to create a 'layered defence' system to enhance confidentiality and help keep sources safe:

- Keep any device that holds sensitive information with you at all times. Don't let it out of your sight. If it's impractical to carry your laptop with you 24 hours a day, consider using an encrypted memory stick, or create an encrypted hidden partition on your hard drive using commercially available software.

- Create a "Pocket PC" - a USB stick loaded with the free Linux operating system - to reduce the risk of sensitive data being left on an infected computer.

- Lock your laptop and smartphone with a strong password made up of a long string of letters and numbers. Also make sure that the laptop BIOS is locked down and has a strong password. Don't use any word appearing in a dictionary. A determined hacker will be able to bypass a password but it may deter an opportunist intruder.

- Hide sensitive details within a Word document by saving it in a white font to make it 'invisible' at first glance against a white background.

- Don't save documents in obvious places like the My Documents folder - store them in more obscure sections of your hard drive. Give documents 'boring' file names that won't arouse curiosity if someone casually starts browsing through your files or demands to look at your computer at a checkpoint.

- Use an open source Voice Over IP (VoIP) application such as Asterisk, rather than landlines or mobile phone networks, for more secure voice calls. Because the source code is freely available, any security loopholes are often quickly spotted and patched by developers. Making calls via Skype is safer than using local telephone networks, but because the source code is closed it's difficult to know who's able to hack it.

- 'Chunk' sensitive information and send it in small blocks using different methods of communication - email, SMS, instant messenger. Anyone monitoring your digital traffic may be able to intercept part of the message but they're less likely to be able to see the full picture if it's divided up and sent over various platforms.

- Use free or commercially available steganography software which enables you to hide encrypted data inside innocent-looking files such as photographs.

- If you're concerned that your internet activity is being monitored, mask it by using the Tor browser, which conceals the user's location and web usage. It's slower than normal browers but is more secure.

Although it's easy to become paranoid about who may be trying to monitor your communications, my cybersecurity source believes these techniques should be standard practice for any journalist concerned about information security.

"You wouldn't leave your notebook on a park bench or a train, so why would you leave your data wide open for all to see," he says.